diff --git a/ESXi/ansible/inventory.yml b/ESXi/ansible/inventory.yml
index bc8ffb3..a00fe41 100644
--- a/ESXi/ansible/inventory.yml
+++ b/ESXi/ansible/inventory.yml
@@ -2,7 +2,7 @@ logger:
 hosts:
- 192.168.3.158:
+ 192.168.3.205:
 ansible_user: vagrant
 ansible_password: vagrant
 ansible_port: 22
@@ -11,13 +11,13 @@ logger:
 dc:
 hosts:
- 192.168.3.189:
+ 192.168.3.202:
 wef:
 hosts:
- 192.168.3.194:
+ 192.168.3.203:
 win10:
 hosts:
- 192.168.3.193:
+ 192.168.3.204:
diff --git a/ESXi/ansible/roles/logger/tasks/main.yml b/ESXi/ansible/roles/logger/tasks/main.yml
index 068ab9a..7b5a613 100644
--- a/ESXi/ansible/roles/logger/tasks/main.yml
+++ b/ESXi/ansible/roles/logger/tasks/main.yml
@@ -160,6 +160,14 @@
 executable: /bin/bash
 become: yes
 shell: |
+ # Get a free Maxmind license here: https://www.maxmind.com/en/geolite2/signup
+ # Required for the ASNgen app to work: https://splunkbase.splunk.com/app/3531/
+ export MAXMIND_LICENSE=
+ if [ -z $MAXMIND_LICENSE ]; then
+ echo "Note: You have not entered a MaxMind license key on line 5 of bootstrap.sh, so the ASNgen Splunk app may not work correctly."
+ echo "However, it is not required and everything else should function correctly."
+ fi
+
 # Check if Splunk is already installed
 if [ -f "/opt/splunk/bin/splunk" ]; then
 echo "[$(date +%H:%M:%S)]: Splunk is already installed"
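Review bot: The guard `if [ -z $MAXMIND_LICENSE ]; then` leaves the expansion unquoted, so a key containing whitespace turns into a `[` syntax error instead of a false branch; write `if [ -z "$MAXMIND_LICENSE" ]; then`. The notice printed in that branch points the user to "line 5 of bootstrap.sh", but in this role the value is set by the `export MAXMIND_LICENSE=` line of the shell task, so the message misdirects anyone provisioning via the ESXi/Ansible path. Placing a real key on that line also commits a secret to the role file; reading it from an Ansible variable (vault-encrypted or supplied at run time) keeps it out of version control. The same unquoted test recurs in the `if [ ! -z $MAXMIND_LICENSE ]` guard of the @@ -204 hunk, and the enclosing shell task continues outside this hunk.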
@@ -183,7 +191,14 @@
 # Download Hardcoded Splunk
 wget --progress=bar:force -O /opt/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb 'https://download.splunk.com/products/splunk/releases/8.0.2/linux/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb&wget=true'
 fi
- dpkg -i /opt/splunk*.deb
+ if ! ls /opt/splunk*.deb 1> /dev/null 2>&1; then
+ echo "Something went wrong while trying to download Splunk. This script cannot continue. Exiting."
+ exit 1
+ fi
+ if ! dpkg -i /opt/splunk*.deb > /dev/null; then
+ echo "Something went wrong while trying to install Splunk. This script cannot continue. Exiting."
+ exit 1
+ fi
 /opt/splunk/bin/splunk start --accept-license --answer-yes --no-prompt --seed-passwd changeme
 /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
 /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
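Review bot: The new checks confirm that a `.deb` exists and that `dpkg -i` returned success, but nothing verifies what was downloaded: the package written by the `wget` line above `fi` goes straight into `dpkg -i` with no checksum comparison, so a corrupted or substituted download installs silently. Splunk's download page lists a SHA-512 for each package; pinning it with `echo 'EXPECTED_SHA512_PLACEHOLDER  /opt/splunk-8.0.2-a7f645ddaf91-linux-2.6-amd64.deb' | sha512sum -c - || exit 1` before the `dpkg -i` line closes that gap. The `ls /opt/splunk*.deb` probe also matches any stale `.deb` left under `/opt` by an earlier run, which the same glob then hands to `dpkg -i`; testing the exact expected filename is tighter. The enclosing shell task continues on both sides of this hunk.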
@@ -193,9 +208,9 @@
 /opt/splunk/bin/splunk add index zeek -auth 'admin:changeme'
 /opt/splunk/bin/splunk add index suricata -auth 'admin:changeme'
 /opt/splunk/bin/splunk add index threathunting -auth 'admin:changeme'
- /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_500.tgz -auth 'admin:changeme'
- /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_800.tgz -auth 'admin:changeme'
- /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_700.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-microsoft-sysmon_1062.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_110.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
@@ -204,6 +219,13 @@ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme' /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme' + # Install the Maxmind license key for the ASNgen App + if [ ! -z $MAXMIND_LICENSE ]; then + mkdir /opt/splunk/etc/apps/TA-asngen/local + cp /opt/splunk/etc/apps/TA-asngen/default/asngen.conf /opt/splunk/etc/apps/TA-asngen/local/asngen.conf + sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf + fi + # Add custom Macro definitions for ThreatHunting App cp /vagrant/resources/splunk_server/macros.conf /opt/splunk/etc/apps/ThreatHunting/default/macros.conf # Fix Windows TA macros @@ -385,7 +407,7 @@ echo "[$(date +%H:%M:%S)]: Installing Zeek..." sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list" wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key - apt-key add - /dev/null - name: Install Zeek Packages become: yes @@ -483,7 +505,7 @@ cd /opt apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz - tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0 + tar -xf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0 ./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole." ldconfig cd /var/lib/tomcat8/webapps 
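Review bot: `sed -i "s/license_key =/license_key = $MAXMIND_LICENSE/g"` splices the key into the sed expression, so a key containing `/`, `&` or `\` either breaks the command or writes a mangled value, and the `$MAXMIND_LICENSE` in the surrounding guard is unquoted. Quoting the test and using a delimiter that cannot appear in the key covers the realistic cases: `if [ -n "$MAXMIND_LICENSE" ]; then` and `sed -i "s|license_key =|license_key = $MAXMIND_LICENSE|g" /opt/splunk/etc/apps/TA-asngen/local/asngen.conf`. `mkdir /opt/splunk/etc/apps/TA-asngen/local` has no `-p`, so re-running the task against an existing `local` directory fails on that line; `mkdir -p` keeps the block idempotent. The key is written in cleartext into `local/asngen.conf`; a comment such as `# the license key is stored in cleartext in local/asngen.conf` makes that explicit for operators. The enclosing shell task continues on both sides of this hunk.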
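Review bot: Dropping `-v` only quiets the extraction; the archive `tar -xf` unpacks is still fetched by the `wget` line above over plain `http://apache.org/dyn/closer.cgi?...` and then configured, built and `make install`ed with no checksum or signature check, so a tampered mirror response would be compiled into the logger host. The download is pre-existing rather than part of this change, but the hunk touches the extraction step, which is the natural place to add a `sha256sum -c` against a pinned digest (an `EXPECTED_SHA256_PLACEHOLDER` until the published value is recorded) before `tar -xf`. The `./configure ... || echo "[-] An error occurred while installing Guacamole."` on the following line also reports build failures without stopping, so a bad archive would not halt the task. The enclosing shell task continues on both sides of this hunk.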
@@ -510,6 +532,6 @@
 # Include Splunk and Zeek in the PATH
 echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
 # Ping DetectionLab server for usage statistics
- curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
+ curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"
diff --git a/README.md b/README.md
index 161626b..25090e8 100644
--- a/README.md
+++ b/README.md
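Review bot: `curl -s -A "DetectionLab-logger" "https://detectionlab.network/logger"` appears to be the final command of the task (the hunk's trailing context is not visible here), so its exit status is what Ansible judges the whole shell step by; an unreachable statistics endpoint or DNS failure would then mark logger provisioning as failed after everything else succeeded, and `-s` hides only the message, not the non-zero status. `curl -s -o /dev/null -A "DetectionLab-logger" "https://detectionlab.network/logger" || true` keeps the ping best-effort. A comment on the preceding line such as `# Optional usage ping; safe to remove on hosts without internet access` documents that nothing downstream depends on it. The enclosing shell task starts outside this hunk.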
@@ -34,71 +34,24 @@ NOTE: This lab has not been hardened in any way and runs with default vagrant cr * All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) * SMBv1 Auditing is enabled - ## Requirements * 55GB+ of free disk space * 16GB+ of RAM * Packer 1.3.2 or newer -* Vagrant 2.2.2 or newer +* Vagrant 2.2.7 or newer * Virtualbox or VMWare Fusion/Workstation --- -## Quickstart -* [AWS](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform)) +## Building Detection Lab + +Please view the quickstart guides based on the operating system you are using. The AWS/Terraform DetectionLab can be launched from any operating system. + +* [AWS via Terraform](https://github.com/clong/DetectionLab/wiki/Quickstart---AWS-(Terraform)) * [MacOS](https://github.com/clong/DetectionLab/wiki/Quickstart---MacOS) * [Windows](https://github.com/clong/DetectionLab/wiki/Quickstart---Windows) * [Linux](https://github.com/clong/DetectionLab/wiki/Quickstart-Linux) - ---- - -## Building DetectionLab from Scratch -1. Determine which Vagrant provider you want to use. Current supported providers are: - - - Virtualbox - - VMware Workstation & Fusion - - Note: Virtualbox is free, the [VMWare Desktop Vagrant plugin](https://www.vagrantup.com/vmware/#buy-now) is $80 and is required to use Vagrant with VMware. - -There are currently three ways to build the lab: -* **Recommended**: Use the boxes hosted on [Vagrant Cloud](https://app.vagrantup.com/detectionlab). This method should take **~1 hour 20 minutes** total to download the boxes and provision the lab. -* Build the boxes yourself using Packer. This method will take ~1-2 hours to build the boxes and another ~90-120 minutes to provision them for a total of **2.5 - 4 hours**. -* [Provision the lab in AWS using Terraform](Terraform/README.md). The lab can be brought online in under **30 minutes**. 
- -If you choose to use the boxes hosted on Vagrant Cloud, you may skip steps 2 and 3. If you don't trust pre-built boxes, I recommend following steps 2 and 3 to build them on your machine. - - -2. `cd` to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 45 minutes. - -``` -$ cd detectionlab/Packer -$ packer build --only=[vmware|virtualbox]-iso windows_10.json -$ packer build --only=[vmware|virtualbox]-iso windows_2016.json -``` - -3. Once both boxes have built successfully, move the resulting boxes (.box files) in the Packer folder to the Boxes folder: - - `mv *.box ../Boxes` - -4. `cd` into the Vagrant directory: `cd ../Vagrant` and edit the `Vagrantfile`. Change the lines `cfg.vm.box = "detectionlab/win2016"` and `cfg.vm.box = "detectionlab/win10` to `cfg.vm.box = "../Boxes/windows_2016_.box"` and "`cfg.vm.box = "../Boxes/windows_10_.box"` respectively. - -5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload` - -6. **VMware Only:** - * [Buy a license](https://www.vagrantup.com/vmware/index.html#buy-now) for the VMware plugin - * Install it with `vagrant plugin install vagrant-vmware-desktop`. - * License it with `vagrant plugin license vagrant-vmware-desktop `. - * Download and install the VMware Vagrant utility: https://www.vagrantup.com/vmware/downloads.html - -7. Ensure you are in the base DetectionLab folder and run `./build.sh` (Mac & Linux) or `./build.ps1` (Windows). This script will do the following: - * Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance. - * Provision the DC host and configure it as a Domain Controller - * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU - * Provision the Win10 host and configure it as a computer in the Workstations OU - -8. 
Build logs will be present in the `Vagrant` folder as `vagrant_up_.log`. If filing an issue, please paste the contents of that log into a Gist to help with debugging efforts.
-
-9. Navigate to https://192.168.38.105:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen)
-10. Navigate to https://192.168.38.105:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration).
+* [ESXi](https://github.com/clong/DetectionLab/tree/master/ESXi)
 ---
diff --git a/build.ps1 b/build.ps1
index e6a4256..2dd3517 100644
--- a/build.ps1
+++ b/build.ps1
@@ -98,12 +98,12 @@ function check_vagrant {
 break
 }
- # Check Vagrant version >= 2.2.2
+ # Check Vagrant version >= 2.2.7
 [System.Version]$vagrant_version = $(vagrant --version).Split(' ')[1]
- [System.Version]$version_comparison = 2.2.2
+ [System.Version]$version_comparison = 2.2.7
 if ($vagrant_version -lt $version_comparison) {
- Write-Warning 'It is highly recommended to use Vagrant 2.2.2 or above before continuing'
+ Write-Warning 'It is highly recommended to use Vagrant 2.2.7 or above before continuing'
 }
 }
diff --git a/build.sh b/build.sh
index 6886752..cd08d73 100755
--- a/build.sh
+++ b/build.sh
@@ -29,10 +29,10 @@ check_vagrant_path() {
 (echo >&2 "Please correct this before continuing. Quitting.")
 exit 1
 fi
- # Ensure Vagrant >= 2.2.2
+ # Ensure Vagrant >= 2.2.7
 # https://unix.stackexchange.com/a/285928
 VAGRANT_VERSION="$(vagrant --version | cut -d ' ' -f 2)"
- REQUIRED_VERSION="2.2.2"
+ REQUIRED_VERSION="2.2.7"
 # If the version of Vagrant is not greater than the required version
 if ! [ "$(printf '%s\n' "$REQUIRED_VERSION" "$VAGRANT_VERSION" | sort -V | head -n1)" = "$REQUIRED_VERSION" ]; then
 (echo >&2 "WARNING: It is highly recommended to use Vagrant $REQUIRED_VERSION or above before continuing")